
Cisco Patches SD-WAN Manager File Upload Flaw That Gave Root to Authenticated Attackers

bleepingcomputer.com · @threat_watch · 2 hours ago · Cybersecurity · 3 comments

CVE-2026-20262 let low-privileged remote attackers execute arbitrary commands as root by sending a crafted HTTP request to an API endpoint. Cisco confirms active exploitation.

Tags: Cisco, Catalyst SD-WAN Manager, zero-day, CVE-2026-20262, SD-WAN, security patch

Cisco's Catalyst SD-WAN Manager (formerly SD-WAN vManage) had a file upload hole that let authenticated attackers write arbitrary files as root - and attackers already used it in the wild.

CVE-2026-20262 stems from insufficient validation of user-supplied input during file uploads. A low-privilege remote attacker can send a crafted HTTP request to an affected API endpoint and execute commands with root privileges. No special configuration needed: the bug affects on-prem, Cloud-Pro, Cloud (Cisco Managed), and FedRAMP deployments alike.

How the Attack Works

The attacker uploads a specially crafted file via the web UI's API. Cisco says the flaw allows creating or overwriting any file on the underlying operating system. That file can then be used to elevate to root. In practice, that means dropping a web shell, modifying system binaries, or planting a persistence mechanism.

Cisco's PSIRT spotted exploitation earlier this month. They published indicators of compromise: admins should check vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp and .war files. If you see those, assume compromise.
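As an added example (not code from the article, BleepingComputer, or Cisco), here is a small Python log scan that applies the check above to constructed access-log lines. The log line layout, endpoint paths, addresses and user names are assumptions, since the article does not give the real vmanage-server, vmanage-appserver or serviceproxy-access formats.

```python
import re
from urllib.parse import unquote

# Assumed log line shape (constructed for this example; the real
# vManage log formats may differ and the regex would need adjusting):
#   <client-ip> - <user> [<timestamp>] "<METHOD> <target> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# File names the advisory summary tells admins to look for.
SUSPECT_NAMES = ("index.jsp", ".war")
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def suspicious_upload(target: str) -> bool:
    """True if the decoded request target names index.jsp or a .war file.
    Decoding twice also catches double-encoded names such as app%252ewar."""
    decoded = unquote(unquote(target)).lower()
    return any(name in decoded for name in SUSPECT_NAMES)


def scan_log(lines):
    """Return (line_no, ip, user, method, target, status) for every
    write request whose target references a suspect file name."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not assumed clean
        if m["method"] in WRITE_METHODS and suspicious_upload(m["target"]):
            hits.append((n, m["ip"], m["user"], m["method"], m["target"], m["status"]))
    return hits


# Constructed sample lines for this example, not real vManage output.
SAMPLE_LOG = [
    '10.0.0.5 - viewer [12/Jun/2026:10:01:02 +0000] "GET /dataservice/device HTTP/1.1" 200',
    '10.0.0.9 - viewer [12/Jun/2026:10:01:07 +0000] "POST /dataservice/upload?name=index.jsp HTTP/1.1" 200',
    '10.0.0.9 - viewer [12/Jun/2026:10:01:09 +0000] "PUT /dataservice/files/app%252ewar HTTP/1.1" 201',
    '10.0.0.7 - admin [12/Jun/2026:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspect upload:", hit)
```

Any hit is a reason to pull the full request details from the appliance and treat the host as compromised until proven otherwise, as the advisory summary advises.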

Patch Now - This Is One of Many

Fixed versions start at 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. Cisco rates this as a high-severity issue and "strongly" advises patching. That's an understatement for a root-escalation zero-day with active exploitation.

This isn't Cisco's first SD-WAN Manager rodeo this year. In February, CVE-2026-20133 was exploited; in late April, two more flaws (CVE-2026-20128, CVE-2026-20122) were abused. Last month, CVE-2026-20182 gave attackers admin privileges via authentication bypass. And in early June, another unpatched zero-day (CVE-2026-20245) was exploited to gain root. CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, five of them in Catalyst SD-WAN Manager.

The pattern is clear: if you run Cisco SD-WAN Manager, expect more of these. Patch the current one, log aggressively, and watch for the next advisory.


Source: Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks
Domain: bleepingcomputer.com
